From owner-freebsd-security Tue Jun 1 18:45: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2])
	by hub.freebsd.org (Postfix) with ESMTP id 7144B14DBD
	for ; Tue, 1 Jun 1999 18:44:50 -0700 (PDT)
	(envelope-from akm@mail.theinternet.com.au)
Received: (from akm@localhost)
	by mail.theinternet.com.au (8.9.3/8.9.3) id LAA21482;
	Wed, 2 Jun 1999 11:47:27 +1000 (EST)
	(envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199906020147.LAA21482@mail.theinternet.com.au>
Subject: Re: Shell Account system
In-Reply-To: from Bruce Campbell at "Jun 2, 1999 11:27:49 am"
To: bc@thehub.com.au (Bruce Campbell)
Date: Wed, 2 Jun 1999 11:47:27 +1000 (EST)
Cc: cain@tasam.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Bruce Campbell ]---------------------------------------------
| On Tue, 1 Jun 1999, Cain wrote:
|
| > In addition to tripwire, monitor the existence of all SUID programs, when
| > new ones appear make sure you know about it. BTW, ircd is usually SUID, so
| > if a user of yours sets that up it's normal. But then how do you know a
| > hacker just hasn't named his root shell ircd... so monitor the sizes of
| > new SUID programs
|
| Possibly putting my foot in my mouth here, but *why* would ircd need to be
| SUID to anyone? It commonly runs at the high ports (6667) and thus does
| not need root for that.
|
| If you want a specific ircd user to run ircd (either by script or by
| respawning from init), I don't see a need for the ircd binary to be SUID
| to anyone (executable only by that user yes, SUID no)
|
| Or am I missing something here?

It's normally suid because the conf files are readable only by the
'owner' -- it's also suid to limit the damage you can do, normally you
set up an 'irc' account and make it suid that.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066    | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477    | Milton
ACN: 082 081 472                     | M:+61 416 022 411    |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist
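
The SUID monitoring Cain describes in the quoted text (inventory every SUID program, notice new ones, watch their sizes), as an added example that is not part of the original thread. It goes beyond size by also recording owner, mode and a SHA-256 digest, since a replaced binary can keep its name and size; the function names `snapshot` and `compare` are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map path -> (uid, mode, size, sha256) for setuid/setgid regular files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # unreadable: still tracked by owner, mode and size
            found[path] = (st.st_uid, stat.S_IMODE(st.st_mode), st.st_size, digest)
    return found

def compare(baseline, current):
    """Return sorted (path, reason) pairs for everything that differs from the baseline."""
    findings = []
    for path, (uid, mode, size, digest) in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append((path, "new, uid %d, mode %04o" % (uid, mode)))
        else:
            if (old[0], old[1]) != (uid, mode):
                findings.append((path, "owner or mode changed"))
            if (old[2], old[3]) != (size, digest):
                findings.append((path, "content changed (%d -> %d bytes)" % (old[2], size)))
    gone = baseline.keys() - current.keys()
    findings += [(path, "gone or no longer setuid/setgid") for path in gone]
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree; on a real host, snapshot "/" and keep the baseline elsewhere.
    with tempfile.TemporaryDirectory() as root:
        ircd = os.path.join(root, "ircd")
        open(ircd, "wb").close()
        os.chmod(ircd, 0o4755)
        baseline = snapshot(root)
        with open(ircd, "wb") as fh:
            fh.write(b"different binary under the same name")
        os.chmod(ircd, 0o4755)  # writing to a file can clear its setuid bit
        for path, reason in compare(baseline, snapshot(root)):
            print(path, reason)
```

A new entry owned by uid 0 deserves the closest look: per the reply above, a legitimate ircd would be setuid to a dedicated 'irc' account, not root.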